MFA Examples

The following are valid phone numbers to be used with SMS authentication:

  • +4701234567
  • +34012345678
  • +10123456789

The following are NOT valid phone numbers to be used with SMS authentication:

  • 004701234567 (it uses the 00 prefix instead of +)
  • 4701234567 (it does not use the international prefix +)
  • +470123456 (the number has incorrect length)
  • +47 01 23 45 67 (it contains spaces)
  • +1-012-345-6789 (it contains dashes)

The following are valid secrets to be used with the Authenticator method:

  • ABCDEFGHIJ234567
  • MKMPIDBZ2UOUSCTZ
  • ABCDEFGHIJKLMNOP
  • 2345672345672345

The following are NOT valid secrets to be used with the Authenticator method:

  • abcdefghijklmnop (it uses lowercase characters)
  • 0123456789012345 (it uses numbers other than those from 2 to 7)
  • 0123456789 (it uses invalid numbers and is shorter than 16)
  • 234567ABC (it uses valid characters and numbers but is shorter than 16).
  • ABCDEFGHIJKLMNOPQRSTUVWXYZ (it uses valid characters but is longer than 16)
  • ABC +=1234567DEF (it uses invalid symbols)

The following are valid values for the norEduPersonServiceAuthnLevel attribute. Please note that line feeds are used for display purposes and should be disregarded:

  • urn:mace:feide.no:spid:all urn:mace:feide.no:auth:level:fad08:3 (enable multifactor authentication for all services)
  • urn:mace:feide.no:spid:123 urn:mace:feide.no:auth:level:fad08:3 (enable multifactor authentication for the service with Service ID number 123)

The following are valid values for the norEduPersonAuthnMethod attribute. Please note that line feeds are used for display purposes and should be disregarded.

  • For a device labeled “Mobile”

    urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZW
    5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdDG
    JBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZx
    12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e9
    5uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjwx
    HWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRuo
    YhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g.
    LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZthk
    aM9w.MWE29ywstyWKCrCUttUYZg label=Mobile
    
  • For a device labeled “My mobile phone”

    urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZW
    5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdDG
    JBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZx
    12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e9
    5uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjwx
    HWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRuo
    YhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g.
    LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZthk
    aM9w.MWE29ywstyWKCrCUttUYZg label=My%20mobile%20phone
    
  • For a device labeled “% = %”

    urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZ
    W5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdD
    GJBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZ
    x12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e
    95uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjw
    xHWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRu
    oYhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g
    .LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZth
    kaM9w.MWE29ywstyWKCrCUttUYZg label=%25%20%3D%20%25
    

The following are NOT valid values for the norEduPersonAuthnMethod attribute. Please note that line feeds are used for display purposes and should be disregarded.

  • The method identifier URN does not correspond with Feide’s Authenticator method

    urn:mace:feide.no:auth:method:authenticator eyJhbGciOiAiUlNBLU9
    BRVAiLCAiZW5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLy
    vP5KNnqEdDGJBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtV
    SjlkhK7CVZx12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquh
    P1mTfFv76e95uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3B
    F1krNBXQjwxHWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXV
    SOEn3JKiRuoYhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5
    NSWNBE0x3g.LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC
    5EnKyyYZthkaM9w.MWE29ywstyWKCrCUttUYZg label=Mobile
    
  • The encrypted secret is not a valid secret

    urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZW
    5jIjogIkExMjhDQkMtSFMyNTYifQ..MWE29ywstyWKCrCUttUYZg label=Mobile
    
  • The Authenticator secret is not encrypted

    urn:mace:feide.no:auth:method:ga ABCDEFGHIJ234567 label=Mobile
    
  • The encrypted secret contains equal signs that are not percent encoded

    urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZ
    W5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdD
    GJBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZ
    x12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e
    95uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjw
    xHWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRu
    oYhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g
    .LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZth
    kaM9w.MWE29ywstyWKCrCUttUYZg=== label=Mobile
    
  • The label contains spaces and percent signs that are not percent encoded

    urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZ
    W5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdD
    GJBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZ
    x12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e
    95uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjw
    xHWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRu
    oYhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g
    .LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZth
    kaM9w.MWE29ywstyWKCrCUttUYZg label=My mobile %phone
    

The following is a valid QR code to configure an Authenticator instance with the label My device and the secret ABCDEFGHIJ234567:

Authenticator QR-code